The Common Corruptions Benchmark is a standardized evaluation dataset that algorithmically applies 15 types of image corruptions—including Gaussian noise, motion blur, and JPEG compression—across five severity levels to assess a model's robustness to natural distribution shifts. It measures how performance degrades when inputs diverge from clean training data.
Glossary
Common Corruptions Benchmark

What is Common Corruptions Benchmark?
A systematic dataset for measuring model resilience to naturally occurring image degradations.
Introduced by Hendrycks & Dietterich, this benchmark computes the mean Corruption Error (mCE) by comparing a model's error rate under corruption to that of a baseline architecture. Unlike adversarial attacks, these corruptions simulate real-world sensor degradation, providing a critical metric for evaluating the reliability of computer vision models in safety-critical deployment environments.
Key Features of the Common Corruptions Benchmark
The Common Corruptions Benchmark systematically evaluates model robustness against 15 distinct visual corruptions across 5 severity levels, providing a standardized measure of resilience to natural distribution shifts.
Corruption Taxonomy
The benchmark defines 15 algorithmically generated corruptions grouped into four semantic categories:
- Noise: Gaussian, Shot, Impulse, Speckle
- Blur: Defocus, Glass, Motion, Zoom
- Weather: Snow, Frost, Fog, Brightness
- Digital: Contrast, Elastic, Pixelate, JPEG Compression
Each corruption simulates a real-world visual degradation that models encounter in production.
Severity Levels
Every corruption is applied at 5 distinct severity levels (1–5), creating a total of 75 corrupted variants per test image.
- Level 1: Subtle degradation, barely perceptible
- Level 3: Moderate distortion, challenging but recognizable
- Level 5: Severe corruption, significant information loss
This graduated approach reveals the precise point at which model performance collapses.
Evaluation Metrics
Robustness is quantified using two primary metrics:
- mCE (mean Corruption Error): Normalized error rate relative to AlexNet, measuring aggregate robustness across all corruptions
- Relative mCE: Performance degradation compared to clean data, isolating corruption-specific vulnerability
Lower mCE values indicate superior robustness. A score below 100 means the model outperforms the AlexNet baseline.
Dataset Composition
The benchmark is built on a curated subset of ImageNet validation data:
- 50,000 validation images (50 per class across 1,000 classes)
- Each image undergoes all 15 corruptions at all 5 severity levels
- Total benchmark size: 3.75 million corrupted images
This scale ensures statistically significant robustness comparisons between architectures.
Architectural Insights
Benchmark evaluations have revealed critical architectural properties:
- Transformer-based models (ViTs) exhibit higher corruption robustness than CNNs at equivalent accuracy
- Self-attention mechanisms provide inherent denoising capabilities
- Depthwise convolutions in EfficientNets show surprising vulnerability to high-frequency noise
- Training with augmentations like AugMix significantly reduces mCE without clean-data accuracy loss
Limitations and Extensions
Key limitations that have spawned derivative benchmarks:
- Synthetic-only: Corruptions are algorithmic approximations, not real-world photographs
- Single-source: Does not account for domain shift from sensor variation or geographic diversity
- Static severity: Real-world degradation is often compound and non-uniform
Extensions include Common Corruptions 3D for point clouds and ImageNet-C variants with additional corruptions like saturate and spatter.
Common Corruptions vs. Adversarial Robustness Benchmarks
A comparison of benchmarks evaluating model resilience to natural distribution shifts versus worst-case adversarial perturbations.
| Feature | Common Corruptions (CIFAR-10-C/ImageNet-C) | Adversarial Robustness (RobustBench/AutoAttack) | Out-of-Distribution Detection Benchmarks |
|---|---|---|---|
Perturbation Type | Algorithmically generated natural distortions (noise, blur, weather, digital) | Worst-case Lp-norm bounded adversarial perturbations | Semantically distinct samples from novel classes or distributions |
Threat Model | No adversary; evaluates passive robustness to distribution shift | White-box or black-box adversary with full or partial model access | No adversary; evaluates epistemic uncertainty and abstention capability |
Primary Metric | Mean Corruption Error (mCE) and Relative mCE | Robust accuracy under AutoAttack (AA) with L-infinity or L2 bound | AUROC, FPR at 95% TPR, and AUPR for OOD detection |
Standard Dataset | CIFAR-10-C, CIFAR-100-C, ImageNet-C (Hendrycks & Dietterich, 2019) | CIFAR-10, CIFAR-100, ImageNet (RobustBench leaderboard) | CIFAR-10 vs SVHN, CIFAR-100 vs Places365, ImageNet vs Textures |
Perturbation Severity | 5 severity levels per corruption type | Fixed epsilon bound (e.g., 8/255 for L-infinity) | |
Evaluation Protocol | Static test set with pre-generated corruptions | Adaptive evaluation with AutoAttack ensemble (APGD-CE, APGD-DLR, FAB, Square) | Threshold-based scoring using maximum softmax probability or energy scores |
Defense Strategy Evaluated | Data augmentation (AugMix, PixMix), self-supervised pretraining, architectural changes | Adversarial training (PGD-AT, TRADES), randomized smoothing, certified defenses | Density estimation, distance-based methods, confidence calibration, energy-based models |
Real-World Relevance | Simulates sensor noise, adverse weather, and compression artifacts in deployment | Simulates deliberate evasion attacks by malicious actors | Simulates encountering novel categories or domain shifts at inference time |
Frequently Asked Questions
Explore the foundational aspects of the Common Corruptions Benchmark, a critical tool for evaluating model resilience against natural distribution shifts like noise, blur, and weather artifacts.
The Common Corruptions Benchmark is a standardized dataset of algorithmically generated image corruptions designed to evaluate the robustness of image classification models to natural distribution shifts. It systematically applies 15 distinct corruption types—including Gaussian noise, motion blur, pixelation, and JPEG compression—at five severity levels to standard datasets like ImageNet. Unlike adversarial attacks that exploit model-specific gradients, these corruptions simulate real-world sensor degradation and environmental conditions. A model's performance is measured by its mean Corruption Error (mCE), which compares the classifier's error rate against a baseline (usually AlexNet) across all corruption types and severities, providing a holistic view of out-of-distribution generalization.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Understanding the Common Corruptions Benchmark requires familiarity with the broader landscape of adversarial robustness evaluation, attack methodologies, and defensive techniques.
Adversarial Example
A maliciously perturbed input designed to cause a machine learning model to make a mistake while appearing unmodified to human observers. Unlike the natural corruptions in the Common Corruptions Benchmark, adversarial examples exploit gradient information to find minimal perturbations that maximize loss.
- Lp-norm constraints bound perturbation magnitude
- White-box attacks require full model access
- Black-box attacks rely on query-based transferability
Out-of-Distribution Detection
The task of identifying inputs that differ semantically from the training distribution, enabling models to abstain from unreliable predictions. The Common Corruptions Benchmark evaluates robustness to distribution shift, while OOD detection focuses on recognizing when an input is entirely foreign.
- Softmax thresholding uses confidence scores
- Energy-based models learn density estimates
- Mahalanobis distance measures feature-space deviation
Adversarial Training
A defensive technique that augments training data with adversarial examples to improve model robustness against malicious inputs. While the Common Corruptions Benchmark tests natural robustness, adversarial training primarily addresses worst-case perturbations.
- PGD-based training is the standard approach
- TRADES balances accuracy and robustness
- Often reduces performance on clean and naturally corrupted data
Certified Robustness
A formal guarantee that a model's prediction remains constant for all inputs within a mathematically defined perturbation bound. While the Common Corruptions Benchmark provides empirical evaluation, certified robustness offers provable guarantees against adversarial manipulation.
- Randomized smoothing provides probabilistic certificates
- Interval bound propagation computes worst-case bounds
- Satisfiability modulo theories (SMT) enables exact verification

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us